The marketplace for commercial hacking tools and services is set to expand dramatically between now and 2028, leading to the victimisation of more organisations and individuals in a far more unpredictable threat landscape, according to threat researchers at the UK’s National Cyber Security Centre (NCSC).
Published on the opening day of the NCSC’s annual CyberUK conference, currently underway in Belfast, the report offers fresh insights into how the barriers to entry for irresponsible or malicious cyber actors is lowering and how commercial products such as spyware, pen-testing and red teaming tools – and even freelance “hackers-for-hire” – are increasing the risk of unpredictable targeting or unintentional escalation.
It highlights in particular how more than 80 countries have purchased cyber intrusion software – such as the Pegasus mobile trojan built by disgraced Israeli firm NSO Group – and used such tools to target activists, dissidents, foreign states, journalists and political opponents. It warns that the development of tools with similar capabilities is likely to diversify to meet demand.
“Over the next five years, the proliferation of cyber tools and services will have a profound impact on the threat landscape, as more state and non-state actors obtain capabilities and intelligence not previously available to them,” said the NCSC’s director of resilience and future technology, Jonathon Ellison.
“Our new assessment highlights that the threat will not only become greater but also less predictable as more hackers for hire are tasked with going after a wider range of targets and off-the-shelf products and exploits lower the barrier to entry for all.
“To maintain safety in cyberspace it is crucial these capabilities are managed with a responsible, proportionate and legally sound approach and working with international partners, the UK is determined to address this rising challenge,” said Ellison.
The report highlights how the irresponsible use of spyware is “almost certainly” going on at a scale far larger than we have imagined, and that we should expect to see more high-profile exposures of victims of this technology, and other commercial cyber tools.
It also explores how freelance hackers pose a growing corporate espionage threat, while potentially significant financial rewards from malicious activity may incentivise state employees or contractors to turn to hacking, particularly during the cost-of-living crisis. A similar trend was seen during the Covid-19 pandemic, when many technically savvy people who had been laid off or furloughed during various national lockdowns took to advertising their skills on underground hacking forums to try to pay their bills.
Sophisticated industry
The NCSC said that over the past 10 years, cyber intrusion has become an increasingly organised industry offering various products and services to “customers”, including off-the-shelf capabilities, bespoke services, and the sale of valid zero-days and tool frameworks.
It said that the sophistication of this industry was now reaching a point where it can rival the equivalent capabilities of advanced persistent threat (APT) groups that are ultimately funded, or at least tasked, by hostile intelligence agencies such as Russia’s GRU.
To better tackle this threat, the NCSC suggests that the commercial intrusion sector – that is to say, the legitimate developers of tools that have proven useful to malicious actors, such as Cobalt Strike and the like – may benefit from a more coherent and joined-up approach to international oversight, although a lack of consensus in this regard may hinder this.
Nevertheless, it said, establishing international consensus and norms on the development and sale of commercial cyber capabilities is likely to nudge commercial providers to do more to protect their products from misuse, and vet and limit who has access to them.